One problem that SharePoint Server administrators regularly encounter is this: How can I know when an extranet user from a partner company leaves the company, and how can I avoid accumulating inactive accounts for users that no longer exist and are just “sitting out there”?

Unfortunately, it is nearly impossible to keep up with the
“comings and goings” of extranet users who are employees of partner companies.

Extranet Collaboration Manager 2010 (ExCM), however, can help our clients with specific extranet user security needs like this. The ExCM User Automation (UA) feature can be used to apply recurring policies to accounts residing in the ExCM user database. These policies are applied by a SharePoint Timer Job, which periodically inspects each account. UA can be used to expire user accounts based on attributes such as periods of inactivity or failure to update their password within a specified period, solving the problem of user account “housekeeping.”

Configuration

As with the other ExCM Advanced Features (see the previous two posts), you first need to enable the SharePoint Service object, which is used to provide farm-wide services and configuration data. To activate the service, open the SharePoint Management Shell and type the following command:

Once that is configured, a new menu appears under “Extranet
Settings” from the Site Settings page:

From within this menu, all UA options are available. You can expire accounts based on two
attributes: activity and password change.
You can also choose to use both attributes in combination. Available options include when the policy
will go into effect; how far ahead of that time the user will receive an email
notification; and how often the expiration notification will be repeated:

In this case, I would like to expire accounts based on
inactivity. To achieve this, I will disable all the password attributes using
the default values provided:

Now that the User Automation options have been configured via the ExCM user interface, I’ll need to edit the OWSTIMER.EXE configuration. Specifically, the timer job must be able to read and write data to the database where the extranet users are located. The configuration file is found at the following location:

Please note that some values in the example above, such as
SQL server name and membership providers, may be different in your file. Once the edits have been made and the file
has been saved, be sure to perform an IIS reset.

Now that I have configured the UA options and subsequently configured
the timer job, I want to monitor the job’s execution. Here’s how you do it. Navigate to Central Administration:

From Central Administration’s Home page, click Monitoring

On the Monitoring page, under the Timer Job section, click Check job status

From the Timer Job Status page, in the view filter, click Service

In the Service filter, click Change Service

From the Select Service dialog, click Extranet Service

In summary, many organizations using ExCM to manage their
extranet need to provide specific and ongoing security for extranet user accounts. For example, if an employee with an extranet
account leaves the company, a “live” account with working security credentials
is potentially abandoned. Realistically,
it is nearly impossible for a client running a SharePoint extranet to manually keep
up with the employment status of extranet users from partner companies. Without
ExCM 2010’s User Automation functionality, abandoned extranet user accounts
would accumulate and could pose a security threat. With ExCM 2010’s UA feature, SharePoint
Administrators can have the peace of mind of knowing that abandoned accounts
can be expired automatically based on periods of inactivity, failure to update
passwords, or both.
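
The inactivity policy described above (an expiration point, a notification lead time and a repeat interval) can be dry-run over an account list before it is enforced. The following is an added example, not ExCM code or its API: the function name, the 90/14/7-day thresholds and the sample accounts are all hypothetical and constructed for illustration.

```powershell
# Added illustration: dry-run of an inactivity expiration policy.
# Function name, thresholds and accounts are hypothetical, not ExCM settings.
function Get-InactivityAction {
    param(
        [Parameter(Mandatory = $true)] [datetime] $LastActivity,
        [Parameter(Mandatory = $true)] [datetime] $Now,
        $LastNotified = $null,          # date of the last warning e-mail, if any
        [int] $ExpireAfterDays = 90,    # assumed inactivity limit
        [int] $WarnDaysBefore = 14,     # assumed notification lead time
        [int] $RepeatEveryDays = 7      # assumed notification repeat interval
    )
    $expiresOn = $LastActivity.AddDays($ExpireAfterDays)
    $warnFrom = $expiresOn.AddDays(-$WarnDaysBefore)

    if ($Now -ge $expiresOn) {
        $action = 'Expire'
    } elseif ($Now -lt $warnFrom) {
        $action = 'None'                # still well inside the allowed idle period
    } elseif ($null -eq $LastNotified -or $LastNotified -lt $warnFrom) {
        $action = 'Notify'              # first warning of this idle period
    } elseif (($Now - $LastNotified).TotalDays -ge $RepeatEveryDays) {
        $action = 'Notify'              # repeat warning is due
    } else {
        $action = 'None'                # warned recently, wait for the next repeat
    }
    New-Object PSObject -Property @{ Action = $action; ExpiresOn = $expiresOn }
}

# Constructed sample accounts; the evaluation date is fixed so the run is repeatable.
$now = [datetime]'2012-06-01'
$accounts = @(
    @{ User = 'alice@partner.example'; LastActivity = [datetime]'2012-05-20'; LastNotified = $null },
    @{ User = 'bob@partner.example';   LastActivity = [datetime]'2012-03-15'; LastNotified = $null },
    @{ User = 'carol@partner.example'; LastActivity = [datetime]'2012-03-10'; LastNotified = [datetime]'2012-05-28' },
    @{ User = 'dave@partner.example';  LastActivity = [datetime]'2012-01-05'; LastNotified = [datetime]'2012-03-28' }
)

$report = foreach ($a in $accounts) {
    $r = Get-InactivityAction -LastActivity $a.LastActivity -Now $now -LastNotified $a.LastNotified
    New-Object PSObject -Property @{
        User = $a.User; IdleDays = [int]($now - $a.LastActivity).TotalDays
        Action = $r.Action; ExpiresOn = $r.ExpiresOn.ToString('yyyy-MM-dd')
    }
}
$report | Select-Object User, IdleDays, Action, ExpiresOn | Format-Table -AutoSize
```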